Privacy Policy

Effective Date: 1 April 2026 | Last Updated: 1 April 2026

1. Who We Are

This Privacy Policy is published by OTD Business Solutions LLP ("we", "us", "our", "Company"), a limited liability partnership registered in India, acting as a Data Fiduciary under the Digital Personal Data Protection Act, 2023 ("DPDP Act").

We operate the following products under separate brands:

BahiFlow (bahiflow.in) — automated B2B collections via WhatsApp for SMBs.
CAflow (caflow.in) — AI-powered GST extraction, filing, reconciliation, and practice management for Chartered Accountants.
RecallPilot (recallpilot.in) — WhatsApp-based patient engagement and Google review automation for local businesses (dental clinics, restaurants, hotels, salons, etc.).

This Privacy Policy governs the collection, use, and protection of data through the RecallPilot product. All products share a common backend infrastructure operated by OTD Business Solutions LLP.

Registered Address: #1974B, 15th Cross, 24th Main, Sector-1, HSR Layout, Bengaluru, Bengaluru-560102

Contact: contact@recallpilot.in

2. Data We Collect

2.1 Data You Provide Directly

Category	Examples	Purpose
Identity data	Business name, owner name, phone number, email address	Account creation, communication
Business details	Clinic/business address, Google Business Profile link	Review automation, location identification

2.2 Data Processed on Your Behalf (Patient/Customer Data)

Category	Examples	Purpose
Patient/customer contact details	Patient name, phone number	Sending reminders and review requests
Appointment data	Appointment dates, treatment type	Recall scheduling, care instructions
Engagement data	Satisfaction rating, Google review status	Review automation, satisfaction tracking

2.3 Data Generated Through Use

Category	Examples
Communication logs	WhatsApp messages sent/received, delivery status, timestamps
Review request records	Review request timestamps, review completion status
Recall schedules	6-month recall dates, reminder sequences
Satisfaction check results	Post-visit satisfaction responses, ratings
Consent records	Consent timestamps, method (explicit YES / implicit engagement)

2.4 Technical Data

We use session cookies only for the admin panel (Django session management). We do not use tracking cookies, advertising cookies, analytics pixels, or any third-party trackers on our platform.

3. Purpose of Processing

RecallPilot

Sending automated appointment reminders via WhatsApp
Sending satisfaction checks after patient/customer visits
Sending Google review requests with guided prompts
Sending 6-month recall reminders
Sending post-treatment care instructions
Generating monthly results reports
Emergency after-hours auto-responses
Birthday and campaign messages (optional, when enabled by the business)

General

Account management and user authentication
Customer support via WhatsApp
Subscription billing and invoicing
Compliance with applicable laws
Security monitoring and fraud prevention

4. Legal Basis for Processing

Basis	Application
Consent (DPDP Act s6)	We obtain consent via WhatsApp keyword ("YES" to confirm, "STOP" to withdraw). Your first message interaction constitutes implicit consent for the purpose of that interaction.
Contract performance	Processing necessary to deliver the services you have subscribed to (appointment reminders, review requests, recall reminders).
Legal obligation	Retention of business records as required by applicable law.

5. Third-Party Data Sharing

We share data only with the following third parties, strictly for the purposes described:

Third Party	Data Shared	Purpose	Location
Meta / WhatsApp Business API	Phone numbers, message content	Sending and receiving WhatsApp messages	Global (Meta infrastructure)
Amazon Web Services	Patient/customer data, business configuration	Secure data storage and application hosting	ap-south-1 (Mumbai, India)
Google Gemini API	Message content for AI processing	Natural language understanding for patient responses	Google Cloud (may be outside India — see Section 10)
Razorpay	Business name, subscription amount	Subscription billing and payment processing	India
Google Business Profile	Review links only — no data sent TO Google by us	Directing patients/customers to leave Google reviews	N/A (outbound links only)

We do not sell, rent, or trade your personal data to any third party for marketing purposes.

6. Data Retention

Data Type	Retention Period	Legal Basis
Patient/customer data (name, phone, appointment details)	Duration of business relationship + 1 year	Purpose limitation (DPDP Act)
Communication logs (WhatsApp messages)	Duration of business relationship + 1 year	Purpose limitation (DPDP Act)
Business account data (owner name, email, phone)	Duration of business relationship + 1 year	Purpose limitation (DPDP Act)
Review request and satisfaction records	Duration of business relationship + 1 year	Purpose limitation (DPDP Act)
Session cookies	24 hours (session-based)	Technical necessity

After the applicable retention period expires, data is permanently deleted or anonymized (personal identifiers removed).

7. Your Rights Under the DPDP Act

As a Data Principal under the DPDP Act 2023, you have the following rights:

Right	Description	How to Exercise
Right to Access	Request a summary of your personal data we process and the processing activities	Email the Grievance Officer
Right to Correction	Request correction of inaccurate or incomplete personal data	Email the Grievance Officer or reply via WhatsApp
Right to Erasure	Request deletion of your personal data, subject to legal retention requirements	Email the Grievance Officer
Right to Withdraw Consent	Withdraw consent at any time; processing before withdrawal remains valid	Reply STOP on WhatsApp or email the Grievance Officer
Right to Nominate	Nominate another person to exercise your rights in case of death or incapacity	Email the Grievance Officer

8. Security Measures

We implement the following technical and organizational measures to protect your data:

Encryption in transit: All connections use HTTPS with HSTS (HTTP Strict Transport Security) enabled for 1 year, including subdomains and preload.
Webhook verification: All incoming WhatsApp webhooks are verified using HMAC-SHA256 signature validation.
PII masking: All application logs mask personal identifiable information — only the last 4 digits of phone numbers appear in logs.
Session security: Admin sessions expire after 24 hours of inactivity, with secure and HTTP-only cookie flags in production.
Encrypted storage: Data stored on AWS uses server-side encryption.
Idempotency checks: Duplicate webhook messages are detected and rejected to prevent data corruption.
Rate limiting: API endpoints are rate-limited to prevent abuse.
Access control: Role-based access control (RBAC) ensures users only access data belonging to their organization.

9. Cookies

We use session cookies only for the Django admin panel. These cookies:

Are strictly necessary for admin authentication
Expire when the browser is closed or after 24 hours of inactivity
Are marked as Secure and HTTP-only in production
Do not track users across websites

We do not use any advertising, analytics, or third-party tracking cookies. No cookie consent banner is required as we only use strictly necessary session cookies.

10. Cross-Border Data Transfers

Disclosure: The following data transfers may involve processing outside India:

Service	Data Transferred	Destination
Google Gemini API	Message content for natural language understanding (patient responses, satisfaction checks)	Google Cloud servers (location determined by Google; may be outside India)
Meta / WhatsApp Business API	Phone numbers, message content	Meta global infrastructure

All other data (AWS storage, database) is processed within India (ap-south-1, Mumbai). If the Government of India notifies specific categories of data requiring mandatory localization under the DPDP Act, we will take steps to ensure compliance, including evaluating India-region alternatives for AI processing.

11. Children's Data

Our services are designed for business use — specifically for local businesses such as dental clinics, restaurants, hotels, and salons. We do not directly collect personal data from individuals under the age of 18.

    Note on patient records: Patient records managed through RecallPilot may include data relating to children (e.g., paediatric dental appointment reminders). This data is processed on behalf of the clinic or business, which is responsible for obtaining appropriate parental/guardian consent. RecallPilot acts as a Data Processor in these cases, not a Data Fiduciary for the child's data. If you believe we have inadvertently collected data from a minor without appropriate consent, please contact our Grievance Officer immediately.

12. Data Breach Notification

In the event of a personal data breach, we commit to:

Notifying the Data Protection Board of India within 72 hours of becoming aware of the breach, as required by the DPDP Act.
Notifying affected Data Principals (you) within 72 hours via WhatsApp and/or email, describing the nature of the breach and the steps being taken.
Documenting the breach, its effects, and the remedial actions taken.

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes:

We will provide at least 30 days' advance notice via WhatsApp message and/or email to registered account holders.
The updated policy will be published at this URL with a new "Last Updated" date.
Continued use of our services after the notice period constitutes acceptance of the updated policy.

14. Grievance Officer

In accordance with the DPDP Act 2023, we have appointed a Grievance Officer to address your concerns regarding data processing:

Name: Sanjay Chaturvedi

Email: contact@recallpilot.in

Address: #1974B, 15th Cross, 24th Main, Sector-1, HSR Layout, Bengaluru, Bengaluru-560102

Response time: We will acknowledge your request within 48 hours and provide a substantive response within 30 days.

15. Governing Law

This Privacy Policy is governed by and construed in accordance with the laws of India, including but not limited to:

Digital Personal Data Protection Act, 2023 (DPDP Act)
Information Technology Act, 2000 and IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011
Indian Contract Act, 1872

Any disputes arising from this Privacy Policy shall be subject to the exclusive jurisdiction of the courts in Bengaluru, Karnataka, India.